From owner-freebsd-security Thu Oct 4 19:42:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.lewman.org (lowrider.rootme.org [209.67.240.51]) by hub.freebsd.org (Postfix) with ESMTP id B5E7A37B401 for ; Thu, 4 Oct 2001 19:42:48 -0700 (PDT)
Received: by mail.lewman.org (Postfix, from userid 1004) id 569C33DEC; Thu, 4 Oct 2001 22:42:48 -0400 (EDT)
Date: Thu, 4 Oct 2001 22:42:48 -0400
From: Sean Lutner
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: HA/Failover options
Message-ID: <20011004224248.C525@rentul.net>
References: <20011004220637.B525@rentul.net> <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>; from mike@sentex.net on Thu, Oct 04, 2001 at 10:12:10PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Behind the firewalls are two sets of switches, load balancers and then a
farm of Sun boxes. I've thought about OSPF, but I didn't want to have to
run routing protocols on my firewall. It would most likely work however,
maybe I'll test that too.

Thanks

sean

On Thu, Oct 04, 2001 at 10:12:10PM -0400, Mike Tancsa wrote:
>
> What do you have behind the firewall? Are all the boxes capable of any
> sort of dynamic routing? Using OSPF for example, you could have your 2
> boxes advertising the default gateway, one with a more attractive cost than
> the other. Even Win2K has OSPF capabilities. It might be an easier way to go.
>
> ---Mike
>
> At 10:06 PM 10/4/2001 -0400, Sean Lutner wrote:
> >Hello...
> >I've recently been tasked with coming up with a redundant/failover
> >firewall solution to replace our managed firewalls. The goal is to have
> >more control, and spend less money. So, after some research I decided
> >FreeBSD with ipfw and vrrp would do the trick. I set out to install and
> >configure everything. I noticed when trying to install vrrp from ports
> >that it's been tagged forbidden, and confirmed this after searching the
> >-security archives. The problem I'm running into is this. I grabbed the
> >code that /usr/ports/net/vrrp would have, and built it, but the
> >implementation has some problems. Once failed over (slave taking over for
> >master), it does not fail back without intervention. If you down an
> >interface with a vrid on it, somehow the vip stays in the interface
> >causing problems. My basic question is this. Is there anyone else out
> >there running redundant/failover firewalls using freebsd? If so, what are
> >you running? I found one other piece of software at http://linux-ha.org
> >that said would build on freebsd, but no such luck. If anyone has any
> >ideas, pointers, products, or thwaps in the right direction, I'd
> >appreciate them.
> >
> >Thanks
> >
> >Sean
> >
> >--
> >Sean Lutner | www: http://www.rentul.net
> >e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig
> >
> >"Imagination is more important than knowledge." -- Albert Einstein
>
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
>

--
Sean Lutner | www: http://www.rentul.net
e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig

"Imagination is more important than knowledge." -- Albert Einstein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
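The two defects Sean reports in the vrrp port (a backup that never fails back once it has taken over, and a virtual IP that stays bound to a downed interface) both come down to how the VRRP master election is supposed to behave. The following is an added example, not code from the FreeBSD vrrp port or from anyone in this thread: a small model of VRRP-style election in which the highest-priority live router holds the VIP, a higher-priority router that returns preempts the current master (when preempt is enabled), and a router that goes down must release the VIP. The router names, priorities and the VIP 192.0.2.1 are constructed for the example.

```python
"""Model of VRRP master election with preempt and VIP release.

Added example, not the vrrp port's implementation. Router names,
priorities and the VIP address are constructed values.
"""
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    priority: int           # 1..254 in VRRP; higher wins the election
    preempt: bool = True    # may this router take the VIP from a lower-priority master?
    alive: bool = True      # False models the interface carrying the vrid being downed
    state: str = "INIT"     # INIT, BACKUP or MASTER
    has_vip: bool = False   # is the virtual IP configured on this router's interface?


def step(group):
    """Run one election round over the group and return the master's name.

    Rules modelled:
      * a master whose interface went down must leave MASTER and drop the VIP
        (this is the 'vip stays on the interface' problem from the thread);
      * with no master, the highest-priority live router becomes master;
      * a live router with preempt enabled and a higher priority than the
        current master takes over (this is the fail-back Sean was missing).
    """
    live = [r for r in group if r.alive]
    master = next((r for r in group if r.state == "MASTER"), None)

    if master is not None and not master.alive:
        master.state, master.has_vip = "INIT", False
        master = None

    if master is None:
        best = max(live, key=lambda r: r.priority, default=None)
    else:
        challengers = [r for r in live if r.preempt and r.priority > master.priority]
        best = max(challengers, key=lambda r: r.priority) if challengers else master

    for r in group:
        if r is best:
            r.state, r.has_vip = "MASTER", True
        else:
            # Exactly one router may own the VIP; everyone else releases it.
            r.state, r.has_vip = ("BACKUP" if r.alive else "INIT"), False
    return best.name if best else None


def vip_holders(group):
    """Names of routers that currently have the VIP configured."""
    return [r.name for r in group if r.has_vip]


def failover_scenario(preempt_on_primary=True):
    """Primary fails, backup takes over, primary returns.

    Returns the master after each event. With preempt enabled the primary
    takes the VIP back; with it disabled the backup keeps it, which is the
    'does not fail back without intervention' behaviour from the thread.
    """
    fw1 = VrrpRouter("fw1", priority=200, preempt=preempt_on_primary)
    fw2 = VrrpRouter("fw2", priority=100)
    group = [fw1, fw2]
    masters = []

    for event in ("boot", "fw1 down", "fw1 up"):
        if event == "fw1 down":
            fw1.alive = False
        elif event == "fw1 up":
            fw1.alive = True
        masters.append(step(group))
        # Invariant: the VIP lives on exactly one live router at all times.
        holders = vip_holders(group)
        if len(holders) != 1 or holders[0] != masters[-1]:
            raise RuntimeError(f"VIP ownership inconsistent after {event}: {holders}")
    return masters


if __name__ == "__main__":
    print("preempt on :", failover_scenario(True))    # fw1 takes the VIP back
    print("preempt off:", failover_scenario(False))   # fw2 keeps it
```

The `step()` invariant check is the part worth keeping when writing a real health check: whatever daemon manages the VIP, a monitoring script can assert that the address is present on exactly one node and absent from any interface that is administratively down, which catches both failure modes described in the thread.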